10-18-2013 01:44 AM
Hello,
I want to test the pre-logon feature of GlobalProtect in our environment.
Our clients are using two-factor authentication (eToken) for the Windows login. So they don't know their Windows credentials.
We have already installed machine certificates on our clients and the authentication with this certificate works with GlobalProtect. Also when using Windows login without eToken, it works with SSO and LDAP auth.
But now, I have to get it working for the eToken users:
After the user logs into Windows with his eToken (two-factor), he always gets a prompt to enter the password of his eToken and the authentication fails.
Is there a way to configure Pre-Logon for two-factor-auth users? GlobalProtect requires a username in the configuration; either in the certificate profile (currently set to none) or by selecting a secondary authentication profile (currently set to LDAP).
Or is GlobalProtect Pre-Logon feature not optimized for this way of authentication? Or can we just use the machine certificate without any username or user authentication?
11-04-2013 04:46 AM
I don't know eToken. But your users do have a Windows account, right? Even if they don't know...
Should work with SSO, but I guess GP needs to login manually once with the user login to get the client config file. Maybe you can deploy the client config file in another way...
11-05-2013 02:12 AM
Our clients only have the PIN from their token for the two-factor authentication and not the Windows password. So they are not able to authenticate via LDAP. So GP with LDAP authentication wouldn't work.
11-05-2013 02:13 AM
(Maybe GP can authenticate without user authentication, only with the machine certificate. Doesn't matter which user logs in...)
11-05-2013 02:36 AM
Hi, I think that you can't use the eToken as a second-factor authentication method with the pre-logon method.
But you could use the client certificate as a second-factor method. But you need to use Windows credentials with pre-logon; it's mandatory.
Regards
11-05-2013 04:12 AM
Sadly not. Because I can only choose certificates with a private key. And we imported our CA certificate without the key.
But anyway, I have to specify where GP/PA can find the user information (/name) of the remote client.
So I guess, we can forget the pre-logon feature with our token clients. But I will request it as a feature request.